Smseow Peekaboo

Warn

Audited by ClawScan on May 16, 2026.

Overview

This skill openly enables broad AI desktop control, including screenshots, clicks, typing, hotkeys, and desktop-control servers, but gives little scoping or confirmation guidance.

Install only if you intentionally want an agent to operate your desktop. Verify the external tools first, grant permissions only during a trusted session, keep sensitive apps closed, require confirmation before any click/type/hotkey action, and stop or revoke desktop-control access when finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could click the wrong control, type into the wrong app, expose sensitive on-screen content, or trigger account and system actions.

Why it was flagged

These commands give the agent broad ability to view the screen and operate the user's desktop, including clicking, typing, and sending hotkeys, with no stated confirmation or scope limits.

Skill content
peekaboo image --mode screen
peekaboo click --on "按钮文字"
peekaboo type --text "内容"
peekaboo hotkey cmd,c

Recommendation

Use only in a controlled session, require explicit approval before clicks/typing/hotkeys, avoid sensitive apps while active, and prefer a VM or test account for automation.

What this means

Granting this permission can let the desktop-control tool act across applications, not just within one app.

Why it was flagged

The skill tells users to grant macOS accessibility-style control, which is expected for desktop automation but is a broad local privilege.

Skill content
peekaboo permissions grant
...
⚠️ Requires macOS 15+; grant the Accessibility permission

Recommendation

Grant permissions only to a verified trusted binary, monitor its use, and revoke the permission when desktop control is no longer needed.

What this means

A changed, compromised, or mistaken package could receive the same desktop-control permissions the user grants for this workflow.

Why it was flagged

The setup relies on unpinned third-party packages and a cloned GitHub repository for powerful desktop-control functionality.

Skill content
npx -y @steipete/peekaboo
pip install mcp-desktop-control
npx -y mcp-desktop-pro serve
git clone https://github.com/bhyoo/kwin-mcp
python kwin-mcp.py

Recommendation

Verify the package/repository source, pin versions or commit hashes where possible, and review the tool before granting accessibility or desktop-control access.

What this means

Screen contents and desktop actions may flow through an MCP tool channel to the controlling agent, so misconfiguration could expose private on-screen information or control capability.

Why it was flagged

The Linux path uses MCP desktop-control tooling, but the artifact does not describe connection boundaries, client authorization, or how screenshot/control access is limited.

Skill content
Linux (desktop MCP)
...
mcp-desktop-control
...
npx -y mcp-desktop-pro serve

Recommendation

Run MCP desktop-control tools only locally or on a trusted channel, limit which agents can connect, and stop the server when not actively using it.